
Commit 883f89e6 authored by Kenny Root's avatar Kenny Root

Resume-on-Reboot: add logs to aid in debugging

There are some failures during CTS tests which fail to arm the
RebootEscrow HAL, but the reason is unclear due to lack of logging
during error cases. This adds the missing error logging for cases that
shouldn't happen.

It also adds logs for success cases that should only happen once per
boot: escrow key restoration per user and escrow key arming per boot.

Test: atest CtsAppSecurityHostTestCases:android.appsecurity.cts.ResumeOnRebootHostTests
Change-Id: Ia2d015dda3eae3b1bbba2d898a485cd2b174ad1a
parent be601fbd
+9 −6
@@ -150,6 +150,7 @@ class RebootEscrowManager {
    private RebootEscrowKey getAndClearRebootEscrowKey() {
        IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            Slog.w(TAG, "Had reboot escrow data for users, but RebootEscrow HAL is unavailable");
            return null;
        }

@@ -197,12 +198,13 @@ class RebootEscrowManager {

            mCallbacks.onRebootEscrowRestored(escrowData.getSpVersion(),
                    escrowData.getSyntheticPassword(), userId);
            Slog.i(TAG, "Restored reboot escrow data for user " + userId);
            return true;
        } catch (IOException e) {
            Slog.w(TAG, "Could not load reboot escrow data for user " + userId, e);
        }
            return false;
        }
    }

    void callToRebootEscrowIfNeeded(@UserIdInt int userId, byte spVersion,
            byte[] syntheticPassword) {
@@ -212,16 +214,13 @@ class RebootEscrowManager {

        IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            mRebootEscrowWanted = false;
            setRebootEscrowReady(false);
            Slog.w(TAG, "Reboot escrow requested, but RebootEscrow HAL is unavailable");
            return;
        }

        RebootEscrowKey escrowKey = generateEscrowKeyIfNeeded();
        if (escrowKey == null) {
            Slog.e(TAG, "Could not generate escrow key");
            mRebootEscrowWanted = false;
            setRebootEscrowReady(false);
            return;
        }

@@ -250,6 +249,7 @@ class RebootEscrowManager {
            try {
                key = RebootEscrowKey.generate();
            } catch (IOException e) {
                Slog.w(TAG, "Could not generate reboot escrow key");
                return null;
            }

@@ -286,6 +286,7 @@ class RebootEscrowManager {

        IRebootEscrow rebootEscrow = mInjector.getRebootEscrow();
        if (rebootEscrow == null) {
            Slog.w(TAG, "Escrow marked as ready, but RebootEscrow HAL is unavailable");
            return false;
        }

@@ -295,6 +296,7 @@ class RebootEscrowManager {
        }

        if (escrowKey == null) {
            Slog.e(TAG, "Escrow key is null, but escrow was marked as ready");
            return false;
        }

@@ -302,8 +304,9 @@ class RebootEscrowManager {
        try {
            rebootEscrow.storeKey(escrowKey.getKeyBytes());
            armedRebootEscrow = true;
            Slog.i(TAG, "Reboot escrow key stored with RebootEscrow HAL");
        } catch (RemoteException e) {
            Slog.w(TAG, "Failed escrow secret to RebootEscrow HAL", e);
            Slog.e(TAG, "Failed escrow secret to RebootEscrow HAL", e);
        }
        return armedRebootEscrow;
    }
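Review bot: In the `@@ -250` hunk the new `Slog.w(TAG, "Could not generate reboot escrow key");` inside `catch (IOException e)` drops the exception, so the log records that key generation failed but not why, which is the information this commit sets out to surface. The other catch blocks in this file section pass the throwable (the `IOException` in the restore path and the `RemoteException` around `storeKey`), so I would write `Slog.w(TAG, "Could not generate reboot escrow key", e);` here as well. The added messages carry only user ids and state, not the key bytes or the synthetic password, and any later log added on these paths should keep to that. The enclosing method starts and ends outside the hunk.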
+11 −8
@@ -359,11 +359,17 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
        mContext.enforceCallingOrSelfPermission(android.Manifest.permission.RECOVERY, null);

        if (!mPreparedForReboot) {
            Slog.i(TAG, "Reboot requested before prepare completed");
            return false;
        }

        if (updateToken != null && !updateToken.equals(mUnattendedRebootToken)) {
            Slog.i(TAG, "Reboot requested after preparation, but with mismatching token");
            return false;
        }

        if (updateToken != null && updateToken.equals(mUnattendedRebootToken)) {
        if (!mInjector.getLockSettingsService().armRebootEscrow()) {
            Slog.w(TAG, "Failure to escrow key for reboot");
            return false;
        }

@@ -372,9 +378,6 @@ public class RecoverySystemService extends IRecoverySystem.Stub implements Reboo
        return true;
    }

        return false;
    }

    /**
     * Check if any of the init services is still running. If so, we cannot
     * start a new uncrypt/setup-bcb/clear-bcb service right away; otherwise
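Review bot: A null `updateToken` is no longer rejected once the token test becomes the guard `if (updateToken != null && !updateToken.equals(mUnattendedRebootToken))`: the guard is skipped for null and execution continues to `armRebootEscrow()`, whereas the earlier form `if (updateToken != null && updateToken.equals(mUnattendedRebootToken))` proceeded only on a non-null match. The rendered page has lost its +/- markers, so this old/new reading is inferred from the hunk counts and the unclosed brace on the earlier line. For a commit described as adding logs, this changes the behaviour of what looks like the check tying the reboot to the prepared request, and the null path has no log line of its own. If null should still fail, write the guard as `if (updateToken == null || !updateToken.equals(mUnattendedRebootToken)) {`; if null is accepted on purpose, a comment saying so would stop a later reader treating it as an oversight. The method's signature is outside the hunk, so the nullability contract of `updateToken` cannot be checked from here.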